Introduction

1. The Department of Foreign Affairs and Trade (DFAT) is responsible for advancing the interests of Australia and Australians overseas. This includes administering the Australian Government’s Passport Services Program, which seeks to provide Australians with access to secure international travel documentation through the delivery of high quality passport services.

2. The Program is expected to cost $201.7 million in 2011–12 and is administered by the Australian Passport Office (APO), which has some 580 staff located in Canberra and across its network of offices in Australia. Demand for passports has increased in recent years with the number of passports issued each year almost doubling since 2002–03 (from 0.9 million in 2002–03 to 1.8 million in 2010–11). At the same time, the APO has improved the passport booklet’s security features and the integrity of the passport issuing process. As part of this ongoing process, in 2010–11, the APO was provided with $100.8 million over six years for the Passport Redevelopment Program, to deliver a new passport issuing system to enhance the security and efficiency of passport operations.

3. Australian passports currently cost $233 for an ordinary adult passport¹ and are regarded internationally as high-quality identity documents. The latter is a key reason why Australians are granted visa-free travel to a number of overseas countries. In addition to their primary purpose of facilitating international travel, passports are increasingly used by their holders as personal identification to facilitate everyday transactions. However, if lost, stolen or otherwise fraudulently obtained, passports can be used by fraudsters to establish false identities and facilitate financial crime or other crime such as people smuggling or terrorist acts.

4. Since the September 11 2001 terrorist attacks in the United States of America (USA), there has been an increased focus around the world on strengthening identity security, including the security of international travel documents. A key initiative in improving document security has been the introduction of the ePassport. ePassports contain a microchip which stores a digital photograph and other personal details of the passport holder. The microchip adds additional security features to the booklet which are intended to make the document more difficult to fraudulently produce. In implementing ePassports, countries are required to meet international standards established by the International Civil Aviation Organization (ICAO).

5. Another key driver for Australia’s introduction of ePassports was its participation in the USA’s Visa Waiver Program. This program allows Australian citizens, in certain circumstances, to enter the USA without first obtaining and paying for a visa. To remain eligible for the program, participating countries were required to introduce ePassports by 26 October 2006.

6. The first Australian ePassport (the ‘M’ series) was introduced on 24 October 2005. This was replaced by the ‘N’ series ePassport in May 2009, which further enhanced the document’s electronic and physical security features. The next ePassport—the ‘P’ series—is currently under development with an expected release date between March and May 2014.

7. At the same time as implementing the ePassport in 2005, the APO sought to strengthen its passport issuing process by taking advantage of the passport’s biometric capabilities. The APO introduced facial recognition (FR) matching into its eligibility assessment process to reduce the incidence of passport fraud. The FR check seeks to identify potentially fraudulent passport applications by identifying those who might already hold a passport in a different name. While an important function, it is one of about 200 checks performed to verify an applicant’s identity and confirm their eligibility for a passport.

8. The digital image on the microchip allows interaction with biometric-based systems that are used by border control officials. The Australian system, known as SmartGate, converts the digital image on the microchip into a biometric template. This template is then compared to a second template created from a live photograph of the passport holder presenting the booklet at the border. This form of biometric matching is intended to both enhance identity verification and improve the efficiency of passenger processing.²

Audit objective and scope

9. The objective of the audit was to assess the effectiveness of DFAT's implementation of biometric technology to meet international requirements for enhanced passport security. In particular, the audit examined whether:

• Australian ePassports meet international requirements, and coordination with Australian stakeholders is effective;
• Australian biometric passport technology is fit for purpose and has enhanced passport security;
• personal data on the passport microchip is secure and DFAT maintains an appropriate focus on both protecting privacy and client satisfaction; and
• arrangements are in place to evaluate the effectiveness of the ePassport and to monitor risks.

Overall conclusion

10. The implementation and management of biometric technology by passport issuing authorities around the world is a relatively new and challenging function, particularly given the ePassport’s dual aims of enhancing passport security and improving the efficiency of passenger processing at the border. In Australia, the task of introducing ePassports occurred against a backdrop of increasing general demand for passports by Australian travellers. Today, there are more than 8.8 million Australian ePassports on issue which represents over 78 per cent of all Australian passports in circulation.

11. The ANAO concluded that the APO has effectively implemented biometric technology and met international requirements and standards for enhanced passport security, while playing an active and influential role in developing these standards. With the introduction of the Australian ePassport on 24 October 2005, Australia became one of the first countries to introduce an ePassport, comfortably meeting the USA’s Visa Waiver Program deadline. The APO’s relationships with key Australian stakeholders are collegial and cooperative in nature.

12. The ePassport’s electronic security measures, combined with the booklet’s security features, make the task of producing a fraudulent passport significantly more complex than it was prior to the ePassport’s introduction. There are no known instances of data on the Australian ePassport’s microchip being altered, and only one microchip has been found to have failed due to an inherent fault. Overall, the Australian ePassport has helped shift the focus of fraudsters from attempting to alter passport booklets to attempting to fraudulently obtain genuine passports.

13. Although not an international requirement, the APO has incorporated FR matching into its passport issuing process to improve identity verification and reduce the incidence of passport fraud. In this regard, the FR system has detected many cases of identity fraud that would not otherwise have been detected.

14. While the introduction of Australian ePassports has been generally sound, there are a number of weaknesses in some of the APO’s supporting administrative arrangements that have the potential to impede effective management decision-making and the monitoring and reporting of outcomes. In particular, while a timely review of the FR system was undertaken in 2008, most of the review observations and recommendations had still not been addressed in 2011. Weaknesses remained in the general system documentation, documentation relating to the testing and approval of FR system settings, and the training and guidance material available to staff involved in FR matching. During the audit the APO developed a plan to take these outstanding issues forward, but this is an area that would benefit from active management oversight.

15. At the time of the audit there were difficulties in extracting accurate data from the APO’s systems on passport fraud, which weakens the assurance that the nature and incidence of that fraud has been carefully monitored and accurately reported. In particular, the incorrect recording of the detection method for some FR matches impairs the APO’s ability to accurately quantify the success of the FR system in detecting fraud. The APO has work underway to address these weaknesses.

16. Furthermore, while the Defence Signals Directorate (DSD) has advised the ANAO that the microchip’s electronic security features should be moderately secure provided they have been applied effectively, at the time of the audit the APO had not conducted independent vulnerability testing of the application of these security features. While DSD has now been engaged to carry out this testing, there would be merit in the APO periodically reviewing the need for further vulnerability testing in consultation with DSD. With regard to the monitoring of more general passport risks, the APO did not have an up-to-date formal risk management plan covering its key strategic and operational risks at the time of the audit. However, it has now developed a strategy to manage these risks.

17. The APO consistently meets its target of issuing passports within 10 working days and was able to maintain its performance against this target during the introduction of the ePassport. However, there are opportunities to develop a broader range of quantitative and qualitative indicators for assessing passport integrity and performance. The APO has agreed to establish new indicators to monitor performance.

18. Overall, the APO has been responsive to the issues raised during the audit. In view of the work commenced or outlined by the APO to address these issues, the ANAO has made only two recommendations aimed at further strengthening the APO’s management of ePassports.

Key findings

Meeting International Requirements

19. The introduction of the Australian ePassport in 2005 was driven by two key international requirements: the need to comply with various international standards for ePassport design; and the desire to continue Australia’s participation in the USA’s Visa Waiver Program, which facilitates the travel of Australian citizens to the USA.

20. The APO assisted in developing international standards for ePassports—including the use of the face as the primary biometric, microchip standards and electronic measures to secure the microchip data—and has successfully implemented the key features required in the Australian ePassport.

21. The management of border and identity security is a collaborative effort between federal and state government agencies. To this end, the APO actively participates in relevant interdepartmental activities, promotes its FR capabilities as a resource to assist national law enforcement, and has entered into a mutually beneficial arrangement with the Australian Federal Police for the secondment of a police officer to its Sydney office. Overall, these arrangements indicate a mature and appropriate coordination approach with stakeholders.

22. Notwithstanding this approach, there are opportunities for the APO to strengthen its interaction with stakeholders. In particular, the development of a joint strategy with the Australian Customs and Border Protection Service (Customs and Border Protection) would enable the incidence of ePassports that fail to read at the border to be better measured and managed. In response to this suggestion, the APO and Customs and Border Protection agreed that a joint strategy would be beneficial, with the APO advising that it will seek to establish a joint working group to manage relevant border issues. At the time of the audit, the APO’s strategic intelligence capability was limited, but the APO had already flagged an intention to reinvigorate this capability.

Management and Operation of the Facial Recognition System

23. The APO is continually improving and strengthening its passport issuing process in an effort to ensure that Australian passports are only issued to persons who are entitled to hold them. At the time of the audit, it conducted about 200 checks in assessing an applicant’s eligibility and in validating supporting information. With the introduction of ePassports and FR technology in October 2005, the APO introduced an additional eligibility check to reduce the incidence of passport fraud. This involves matching the applicant's image against other images held in its passport database to reduce the risk that the applicant has already been issued with a travel document in another name.

24. FR matching is not an international requirement and Australia was one of the first countries to introduce it into its passport issuing process. However, most observations and recommendations from a 2008 review of the APO’s FR system, including key system documentation and reducing the APO’s reliance on an individual officer for system maintenance and support, had still not been addressed in 2011. The APO has since engaged a contractor to document its FR systems, and developed a strategy to overcome this potential single point of failure. It has also developed a Future Directions Plan to take other outstanding issues forward. However, this is an area that would benefit from ongoing active management oversight and periodic progress review, to ensure that key issues are addressed in a timely manner.

25. The APO uses a commercially supplied biometric algorithm to convert passport photographs into templates and to compare the applicant’s template to all other templates in its database. The FR system has been updated for new algorithms, but the APO was unable to locate documentation of its testing methodology in comparing the effectiveness of the new and old algorithms, and the consideration of change proposals by management. In response, the APO advised that the methodology is now being documented and a health check of the

FR system will be undertaken in the first half of 2012.

26. As part of this process, it will also be important for the APO to develop and document a mechanism for ongoing assessment and adjustment of the FR system settings and monitoring of outcomes, to help optimise system performance. This approach will better equip the APO Senior Executive to weigh future trade-offs between staff workload and the probability of fraud detection. Documenting management’s consideration of proposed changes to system settings will also strengthen accountability and facilitate future review.

27. The APO uses people to visually inspect and verify submitted photographs against international standards, and considers that it meets all international requirements in this regard. While automated image checking software has the potential to improve image quality and the effectiveness of FR technology during application processing and at the border, it is not an international requirement nor is it practical to implement at this time. Its use would only be possible if the APO changed from its current process of scanning submitted photographs to the live capture of digital images. The APO intends to pilot live capture as part of its Passport Redevelopment Program.

28. The FR system identifies potential matches and presents those in a gallery for an APO Eligibility Officer to consider whether any require more detailed investigation by the fraud unit. While the FR gallery user interface has been improved since its introduction in 2005, it remains difficult for Eligibility Officers to use efficiently and effectively. The APO expects to redesign, test and deploy an enhanced FR gallery in the first half of 2012, to overcome these issues.

29. Appropriate and up-to-date training and guidance material is important to support staff involved in the FR matching process. While weaknesses in both areas were apparent at the time of the audit, the APO was taking steps to overcome them. In particular, it advised that it will update its FR training and guidance material, and develop a medium to long-term training strategy by June 2012. In addition, the APO will consider introducing periodic mandatory training and assessments for staff involved in FR decision-making, and advised that it has now put in place a system to automatically record the completion of training modules. The APO is also funding research work that should provide useful information on how to optimise Eligibility Officers’ training and help improve their performance in matching faces.

The Impact of Facial Recognition Matching on Passport Fraud

30. The number of new passport fraud cases detected by the APO and other agencies increased from 178 in 2003–04 to 849 in 2010–11. The APO attributes this increase to the growing number of passports issued and to its greater investigative capability rather than to an increase in the rate or incidence of fraud per se.

31. FR matching has been attributed as detecting on average about 22 cases of fraud a year since its introduction. However, this figure is understated by an unknown amount because of the incorrect recording of the detection method for some FR matches.

32. The APO advised that a new case management system (‘eCase’) being developed as part of the Passport Redevelopment Program, and an interim solution that was implemented in February 2012, will enable the accurate recording and extraction of fraud statistics in the future.

Securing the ePassport’s Microchip and Protecting Privacy

33. The ePassport employs a number of electronic security features to protect the personal information stored on the microchip against a range of potential threats. While media reports have suggested that the personal information on the microchip is vulnerable to unauthorised access and copying, there are no known instances of fraudsters successfully overcoming the electronic security features of the Australian ePassport.

34. With around 48 per cent of the Australian population holding a passport, the APO holds significant amounts of personal information in its passport systems, including biometric information. It is therefore important that appropriate measures are employed to secure this information and protect holders’ privacy in accordance with the Privacy Act 1988. To this end, the APO put in place effective arrangements to manage the privacy of individual passport holders following the introduction of ePassports in 2005, and the Office of the Australian Information Commissioner has not received a complaint about the APO since that time.

35. The APO’s key system for storing personal details is the Passport Issue and Control System (PICS). While access to PICS is logged in an electronic audit trail, the APO does not proactively use this facility to identify potentially inappropriate database access. A small number of periodic random audits would increase management’s assurance that access to personal records is appropriate. The APO does monitor staff access to the records of a limited number of passport holders whose records are considered to be at higher risk of inappropriate access. However, the arrangement and the criteria used for adding or removing passport holders to this list have not been documented.

36. The APO Canberra conducts a structured induction program that includes a mandatory requirement for new staff to complete a self-paced online privacy module. However, at the time of the audit, privacy refresher training was not mandatory, nor was a record kept of those who had undertaken it. The APO advised that it has now developed a system to identify staff requiring refresher training and to record its completion.

Monitoring ePassport Vulnerabilities and Client Satisfaction

37. The insertion of microchips into passport booklets introduced the potential for microchip failure and inconvenience to the passport holder. Therefore, it is important that the microchip is sufficiently robust to survive the rigours of passport production and use, for its 10-year life. The APO has adopted a sound approach to managing the risk of microchip failure, including testing its robustness during the development of the first ‘M’ series ePassport and obtaining a 12-year warranty from the microchip manufacturer. Only one microchip has been found to have failed due to an inherent fault (out of more than 8.8 million ePassports that have been issued).

38. The APO has also adopted a sound approach to testing the physical security features of the passport booklet, but relies on internationally proven electronic security features to protect the embedded microchip. At the time of the audit the APO had not conducted independent vulnerability testing of their application but, in response to these findings, has now engaged DSD to carry out this testing. The need for further vulnerability testing should be periodically reviewed in consultation with DSD to identify emerging threats, with future independent vulnerability testing to be conducted as required.

39. The APO has included key passport fraud risks in the DFAT-wide Fraud Control Plan, and seven strategic risks in the DFAT-wide Risk Register. However, at the time of the audit, the APO did not have an up-to-date formal risk management plan covering its key strategic and operational risks, which would assist with their regular and systematic review. In response, the APO advised that it has now developed a risk strategy to actively manage its strategic and operational risks.

40. The APO has established a Client Service Charter that outlines service standards and has developed a series of supplementary brochures that provide information to clients on their rights and responsibilities. While client feedback is collected through a number of specific initiatives, at the time of the audit there was no centralised collection or analysis of feedback that is provided by clients at the APO’s network of offices. However, during the audit the APO developed a new feedback policy to identify and share better practice and lessons learned across the APO network.

41. The APO consistently meets its target of issuing passports within 10 working days (average of 3.7 days in 2010–11) and was able to maintain its performance against this target during the introduction of the ePassport in 2005–06 (average of 4.1 days in that year). However, there are opportunities to develop a broader range of quantitative and qualitative indicators for assessing passport integrity and performance and for reporting on the performance of the FR system to the Senior Executive. The APO has agreed to establish new indicators to monitor performance.

Summary of agency response

42. The proposed report was provided to DFAT for comment. DFAT’s summary response to the audit is as follows:

DFAT welcomes the findings of the ANAO report into the management of ePassports. Australia was instrumental in the development of the international standards for the ePassport and in 2005 was one of the first countries to introduce a compliant ePassport. The report acknowledges that DFAT has effectively implemented biometric technology and met the international requirements and standards for enhanced passport security. The report confirms that the ePassport's electronic security measures, combined with the booklet's security features, make the task of producing a fraudulent passport significantly more complex.

DFAT was a pioneer in the use of facial recognition matching in the passport assessment process and remains a world leader in its use. The report acknowledges that, while not an international requirement, DFAT has incorporated the facial recognition capability to improve identity verification and reduce the incidence of passport fraud. DFAT agrees with the recommendation to involve the Defence Signals Directorate in vulnerability testing of the ePassport and believes that their involvement will strengthen the integrity of the ePassport program.

Footnotes

[1]   Different fees apply for seniors, children and frequent travellers, as well as for replacement passports and priority passport processing.

[2]   The ANAO is currently undertaking a performance audit of the Australian Customs and Border Protection Service’s processing of incoming international air passengers.